Virtual Private Network, generally referred to as VPN enlarges a private network throughout a public network. This allows users to transfer and receive data across mutual or public networks as if their computing devices were connected expressly to the private network.
Applications operating across a VPN tend to subsist from the capability, security, and administration of the private network. Obscuring information to make it unreadable except via special means is a popular, but not an intrinsic part of a VPN connection.
The virtual private network technology was designed to supply entry to corporate applications and resources to users on the go, from remote locations, and to branch offices. The private network connectivity may be set up using an encoded, layered tunnelling protocol for security.
Users may be requested to go through various verification methods to gain entry to the VPN. In other applications, internet users may insure their connectivities with a virtual private network to bypass access to users from certain countries. It also bypasses censorship or links to auxiliary servers to conceal personal identity and location to stay unknown on the internet.
However, access to recognized IP addresses is denied by some websites that use the virtual private network to avoid the bypassing of their restrictions on specific regions and territories. Multiple providers or the virtual private network have been coming up with strategies to navigate these restrictions or hindrances.
A virtual private network is designed by setting up a virtual end-to-end connection via dedicated, closed routes or tunnelling protocols over established networks.
A virtual private network available from the public internet can supply some of the advantages of a vast area network. From a user’s perspective, the resources present within the private network can be gained entry to, remotely.
Table of Contents
- Types of virtual private network
- Security mechanisms of the virtual private network
- Building blocks of a provider-provisioned virtual private network
- Trusted delivery networks
- Types of VPN deployment
- Networking limitations
- Virtual private network services
Types of virtual private network
Three extensive classifications of VPNs exist. They include remote access, intranet-based site-to-site, and extranet-based site-to-site. While each user most often uses remote access VPNs, businesses or corporate organizations use site-to-site VPNs more frequently.
Early setups of data networks enabled VPN-styled connectivities to remote sites via a dial-up modem or leased line links, using X.25, Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits. These virtual circuits are provided via networks founded and managed by telecommunication carriers.
These networks are not regarded as genuine virtual private networks, because they passively insure the information being conveyed by logical data streams.
They have been supplanted by virtual private networks established on IP and IP/Multi-protocol Label Switching (MPLS) Networks, because of considerably lesser costs and enhanced bandwidth.
These recent improvements were provided by novel technologies such as digital subscriber line (DSL) and fibre-optic networks. Virtual private networks can be distinguished as host-to-network or remote access by linking one computer to a network or site-to-site to connect two networks.
In a corporate environment, remote-access virtual private networks enable employees to access the company’s intranet from the external premises. Site-to-site virtual private networks allow collaborators in geographically separate offices to use the same virtual network collectively.
A virtual private network can also interconnect two similar networks over a different intermediate network; for instance, two IPv6 networks connected over an IPv4 network. Virtual private network systems may be categorized by:
- The set of formal rules for tunnelling which are utilized to channel the traffic
- The tunnel’s discontinuation point location, e.g., on the customer edge or network-provider edge
- the type of node arrangement in a communication network, such as site-to-site or network-to-network
- the levels of security provision
- the OSI layer they show to the connecting network, such as Layer 2 circuits or Layer 3 network connection
- the number of synchronic connectivities.
Security mechanisms of the virtual private network
Virtual private networks are incapable of making online connectivities absolutely anonymous; however, they can enhance privacy and security.
To avoid personal information exposure, virtual private networks usually permit only verified remote access, making use of tunnelling protocols and encryption methods.
The virtual private network security model provides:
- Secrecy to the extent that even if the network traffic is detected at the packet level, the detector would only see encoded data
- Sender verification to avoid users without authorization from having access to the VPN
- Message integrity to sniff any event of tainting or impairing transmitted messages
Secure virtual private network protocols include:
- Internet Protocol Security (IPsec) was first designed by the Internet Engineering Task Force (IETF) for IPv6, which was needed in all standards-compliant executions of IPv6 prior to RFC 6434 making it only a recommendation.
This standards-established security protocol is also popularly utilized with IPv4 and the Layer 2 Tunneling Protocol. Its design aligns with most security goals: availability, integrity, and confidentiality. IPsec utilizes encoding, encapsulating an IP packet inside an IPsec packet. De-encapsulation occurs at the extreme of the tunnel, where the authentic IP packet is decoded and relayed to its intended destination.
- Transport Layer Security (SSL/TLS) can channel the entirety of a network’s traffic (as it does in the OpenVPN project and SoftEther VPN project) or protect individual connectivity.
Some vendors offer remote-access virtual private network functionalities through SSL. An SSL virtual private network can link from locations where IPsec runs into trouble with Network Address Translation and firewall regulations.
- Datagram Transport Layer Security (DTLS) utilized in Cisco AnyConnect VPN and in OpenConnect VPN to provide solutions to the challenges SSL/TLS has with tunnelling over TCP. Channelling TCP over TCP can trigger huge delays and abort connectivity
- Microsoft Point-to-Point Encryption (MPPE) works in conjunction with the end-to-end tunnelling protocol and multiple suitable implementations on a host of other platforms.
- Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels end-to-end Protocol (PPP) or Layer 2 Tunneling Protocol traffic via an SSL/TLS channel. SSTP was launched in Windows Server 2008 and Windows Vista Service Pack 1.
- Multi-Path Virtual Private Network (MPVPN). Ragula Systems Development Company founded the registered trademark “MPVPN”.
- Secure Shell (SSH) VPN – OpenSSH offers VPN channelling, which differs from port forwarding, to protect remote links to a network or inter-network links. OpenSSH server provides a restricted number of concurrent channels. The virtual private network feature itself does not support personal verification.
- WireGuard is a protocol. In 2020, WireGuard support was attached to both the Linux and Android kernels, offering it up for adoption by virtual private network providers.
Typically, WireGuard uses Curve25519 to exchange keys and ChaCha20 for encoding and reserves the ability to pre-share a symmetric key between the user and the server. Almost all commercial virtual private networks embraced this protocol as the default one.
Tunnel extremes must be verified before protected virtual private network tunnels can be set up. The user-created remote-access virtual private network tends to utilize passwords, biometrics, two-factor authentication or other cryptographic options.
Protocols regarding tunnelling can run in an end-to-end network topology that would, in theory, not be regarded as a virtual private network. This is because a virtual private network by definition is supposed to uphold arbitrary and dynamic sets of network nodes.
However, since most router executions support a software-based tunnel interface, customer-provisioned virtual private network frequently is defines channels operations on conventional routing protocols.
Building blocks of a provider-provisioned virtual private network
The elements that comprise the provider-provisioned virtual private network includes the following:
- Customer (C) devices: This is a device within the network of a customer and not expressly linked to the service provider’s network. C devices are unaware of the virtual private network.
- Customer (CE) edge device: This is a device at the fringes of the network of the customer which offers entry to the PPVPN. Often, it is just a division point between provider and customer responsibility. A host of other providers enable customers to configure it.
- Provider edge (PE) device: This is a device or set of devices, at the fringes of the network of the provider which links to the networks of the customer via customer edge devices and shows the provider’s view of the customer site. Provider edge devices are aware of the virtual private networks that link through them and sustain a virtual private network state.
- Provider (P) device: This is a device that functions within the interior of the core network of the provider and doesn’t expressly interface to the endpoint of any customer. For instance, it might offer routing for multiple provider-operated tunnels owned by various customers’ PPVPNs.
While the provider device is an integral part of implementing PPVPNs, it is not inherently aware of the virtual private network and doesn’t sustain VPN state. Its primary task is enabling the service provider to scale its PPVPN offerings, for instance, by functioning as an accumulation point for multiple PEs. P-to-P links, in such a task, are frequently high-capacity optical connections between primary locations of providers.
Trusted delivery networks
Verified virtual private networks do not utilize cryptographic channelling. They instead depend on the security of a provider’s network to insure the traffic, and they include:
- Multi-Protocol Label Switching (MPLS) frequently lays over virtual private networks, often with service quality control over a trusted delivery network.
- L2TP which is a replacement based on standards, and a compromise using the right characteristics from each, for two proprietary VPN protocols: Cisco’s Layer 2 Forwarding (L2F) (no longer in use as of 2009) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP).
From the security perspective, virtual private networks rely on the underlying delivery network or must implement security with mechanisms in the virtual private network.
Except for the trusted delivery network functions among physically protected sites only, the reliable and protected models need a verification mechanism for users to gain entry to the virtual private network.
Types of VPN deployment
Virtual private networks in mobile environments
Users use mobile VPNs in environments where an extreme point of the virtual private network is not designated to a singular IP address. Instead, it wanders across different networks such as data networks from cellular carriers or between various Wi-Fi entry points.
It does this without ending the secure VPN session or failing to sustain application sessions. Mobile virtual private networks are vastly utilized in public safety where they give law-enforcement officers entry to applications such as computer-aided dispatch and criminal records.
It also applies to other organizations with similar demands, such as Field service management and healthcare.
VPNs on Routers
With VPNs becoming more popular and common, several users have begun deploying VPN connectivity on routers for extra security and encoding data transfer by employing different cryptographic methods.
Home users generally deploy virtual private networks on their routers to secure devices such as smart TVs or gaming consoles, which are not compatible with native VPN clients.
Compatible devices are not limited to those capable of running a VPN client. Several router manufacturers provide routers with built-in VPN clients. Some utilize open-source firmware such as DD-WRT, OpenWRT, and Tomato to be compatible with additional protocols such as OpenVPN.
Establishing VPN services on a router demands in-depth knowledge of network security and cautious installation. Trivial misconfiguration of VPN connectivities can make the network vulnerable. The performance will differ depending on the Internet service provider (ISP).
One limitation of conventional virtual private networks is that they are end-to-end connections and do not tend to be compatible with broadcast domains.
Communication, software, and networking, founded on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully compatible with a local area network.
Variants on VPN such as Virtual Private LAN Service (VPLS) and layer 2 channelling protocols are developed to solve this limitation.
It is extremely difficult to conceal Tor use from Internet Service Providers (ISP) using a virtual private network since technical analysis has shown this goal to be too difficult to be pragmatic. VPNs are prone to attacks referred to as website traffic fingerprinting.
Both the ISP and a local network administrator can check with ease if links are made to a Tor relay and not a usual web server.
The target server communicated through Tor can learn whether the communication is sourced from a Tor exit relay by looking up the publicly accessible list of recognized exit relays. For instance, The Tor Project Bulk Exit List tool could be utilized for this purpose.
Virtual private network services
A broad variety of commercial entities offers VPNs for all manner of purposes. Still, they frequently don’t create a true “private network” with anything of significance on the local network due to the provider and the application. Despite that, the term is becoming more common.
The general public primarily uses the term “VPN service” or “VPN” particularly for a commercially distributed product or service that uses a virtual private network protocol to channel internet traffic.
This is so that an IP address of the service provider’s server seems to the public to be the user’s IP address. Relying on the features adequately implemented, the user’s traffic, location and/or real IP address may be concealed from the public.
This offers the preferred internet access features such as internet censorship bypass, traffic secrecy, and location-based internet restriction.
They channel the user’s internet traffic securely only between the public internet and the user’s device. There is usually no way for a user to be linked to the same virtual private network to detect each other.
These virtual private networks can be set up on the usual VPN protocols or more concealed VPN implementations like SoftEther VPN. Nonetheless, auxiliary protocols like Shadowsocks are utilized as well. These virtual private networks are typically advertised as privacy protection services.
From the client’s perspective, a usual VPN setup is programmed not to be a conventional VPN. However, it usually uses the VPN of the operating system interfaces to retain the user’s data to transmit. This contains virtual network adapters on computer OSes and highly skilled “VPN” interfaces on mobile operating systems. A less popular option is to offer a SOCKS proxy interface.
Users must consider that when the relayed content is not encoded before entry into a VPN, that data is easily accessible at the receiving end, which is usually the public VPN provider’s site. It doesn’t matter whether the VPN tunnel wrapper itself is encoded for the movement between nodes.
The only protected VPN is where the users have oversight at both sides of the whole data path, or the content is encoded before it gains access to the tunnel provider.
As of March 2020, an approximate of over 30% of Internet users across the world use a commercial VPN, with that number considerably more prominent in the Middle East, Asia, and Africa.